logo

Database

Lack of data validation In undici

Description

undici before v5.8.0 vulnerable to CRLF injection in request headers

Impact

It is possible to inject CRLF sequences into request headers in Undici.

const undici = require('undici')

const response = undici.request("http://127.0.0.1:1000", {
  headers: {'a': "\r\nb"}
})

The same applies to path and method

Patches

Update to v5.8.0

Workarounds

Sanitize all HTTP headers from untrusted sources to eliminate \r\n.

References

https://hackerone.com/reports/409943 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12116

For more information

If you have any questions or comments about this advisory:

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2022-311502. NVD-2022-311503. OSV-2022-311504. OSV-DEBIAN-2022-311505. GHSA-3cvr-822r-rqcc6. GCVE-2022-311507. SECURITY-TRACKER-CVE-2022-31150

References

1. https://github.com/nodejs/undici/security/advisories/GHSA-3cvr-822r-rqcc2. https://github.com/nodejs/undici/commit/a29a151d0140d095742d21a004023d024fe932593. https://hackerone.com/reports/4099434. https://github.com/nodejs/undici/releases/tag/v5.8.05. https://security.netapp.com/advisory/ntap-20220915-0002

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.